Security
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine Authentication with VLAN CoA

  • 1.  Machine Authentication with VLAN CoA

    Posted Jan 02, 2018 09:08 AM

    I have a customer that is looking to reverse the machine/user authentication process.


    1.) machine authentication occurs at reboot/login and CoA is pushed from ClearPass for a particular VLAN


    2.) user authentication then occurs but only as a validation that the user is part of AD, no additional enforcement is expected


    This seems like a simple configuration but I cannot seem to figure it out. Is there a way to configure a machine authentication policy with VLAN enforcement without adding the user authentication?

    Thank you for your time and assistance.



  • 2.  RE: Machine Authentication with VLAN CoA

    EMPLOYEE
    Posted Jan 02, 2018 09:14 AM

    Is the machine authentication VLAN going to be the same as the user authentication VLAN?  If yes, why even bother with COA?



  • 3.  RE: Machine Authentication with VLAN CoA

    Posted Jan 02, 2018 09:27 AM

    The customer wants the VLAN to follow the machine around only.  The user authentication would only be a validation but would not perform a CoA.  A user does not belong to a specific department so they should be able to authenticate to the machine regardless of which network it belongs to.  Does that make sense?



  • 4.  RE: Machine Authentication with VLAN CoA

    EMPLOYEE
    Posted Jan 02, 2018 09:37 AM

    Is this wired or wireless connectivity?


    Changing VLANs between user and machine authentication many times breaks domain connectivity and can interrupt normal function like login scripts from running.  It should not be done in most circumstances.



  • 5.  RE: Machine Authentication with VLAN CoA

    Posted Jan 02, 2018 09:43 AM

    This is wired connectivity.  They are special machines that they want to have plugged in and immediately be part of a specific VLAN without any user interaction.  I was hoping there was some operation with machine authentication only that would support this.  I am not looking to have the user authentication change the VLAN again, only to log the user in.  The machine would remain in the original VLAN that was set when the machine OU was read from ClearPass.



  • 6.  RE: Machine Authentication with VLAN CoA
    Best Answer

    EMPLOYEE
    Posted Jan 02, 2018 10:06 AM

    So you should have the machine configured for machine authentication only.



  • 7.  RE: Machine Authentication with VLAN CoA

    Posted Jan 02, 2018 10:14 AM

    So with machine authentication only on the client, that will trigger ClearPass to perform a VLAN change for the device once plugged in (without a user authentication)?



  • 8.  RE: Machine Authentication with VLAN CoA

    EMPLOYEE
    Posted Jan 02, 2018 10:23 AM

    You of course have to write an enforcement policy that determines if it is an incoming machine authentication and then send back an enforcement profile with a RADIUS attribute that sends the VLAN back to the switch.  You have the option of looking to see if the device authenticating is in a certain device AD group and then sending back an enforcement profile with the RADIUS attribute that your switch uses to determine the VLAN.

    An example of how you would do this with a Cisco switch is here:  http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/TechNote-v1-2-Cisco-Switch-Setup-with-ClearPass-Policy-Manager/ta-p/70722
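
The enforcement logic described in the reply above, written out as an added example (not part of the original thread and not ClearPass code): a request is classified as machine authentication by its `host/` identity, the machine's AD group is mapped to a VLAN, and the VLAN is returned as the standard RFC 2868/RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) that switches use for dynamic VLAN assignment. A user authentication hitting the same policy is validated against the directory but gets no VLAN attribute, so the port stays in the VLAN the machine received. The directory, group names, hostnames and VLAN IDs are constructed for the example, and the handling of a domain machine that is in no mapped group is an assumption the thread does not cover.

```python
"""Model of a ClearPass-style enforcement policy for machine-auth VLAN
assignment. Constructed example: directory, groups and VLAN IDs are made up."""
from dataclasses import dataclass

# Attribute values from RFC 2868 / RFC 3580 that a switch expects for VLAN assignment
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_TYPE_802 = 6   # Tunnel-Medium-Type = IEEE-802

# Constructed stand-in for Active Directory: identity -> groups it belongs to.
# Windows computer authentication presents the identity as host/<fqdn>;
# user authentication presents DOMAIN\user (or a UPN).
DIRECTORY = {
    "host/lab-pc01.example.local": ["CN=Lab-Machines,OU=Computers,DC=example,DC=local"],
    "host/kiosk-07.example.local": ["CN=Kiosk-Machines,OU=Computers,DC=example,DC=local"],
    "host/laptop-42.example.local": ["CN=Domain Computers,CN=Users,DC=example,DC=local"],
    "example\\alice": ["CN=Domain Users,CN=Users,DC=example,DC=local"],
}

# Constructed mapping: machine AD group -> VLAN the switch should put the port in
GROUP_TO_VLAN = {
    "CN=Lab-Machines,OU=Computers,DC=example,DC=local": 110,
    "CN=Kiosk-Machines,OU=Computers,DC=example,DC=local": 120,
}


@dataclass(frozen=True)
class Decision:
    code: str          # "Access-Accept" or "Access-Reject"
    attributes: dict   # RADIUS attributes returned to the switch (the enforcement profile)


def is_machine_auth(username: str) -> bool:
    """Windows computer authentication uses a host/ identity; user auth does not."""
    return username.lower().startswith("host/")


def vlan_attributes(vlan_id: int) -> dict:
    """The three attributes a switch needs to apply a dynamic VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def enforce(username: str, directory=DIRECTORY, group_to_vlan=GROUP_TO_VLAN) -> Decision:
    """Evaluate one authentication request the way the enforcement policy would."""
    groups = directory.get(username.lower())
    if groups is None:
        return Decision("Access-Reject", {})  # identity unknown to AD

    if not is_machine_auth(username):
        # User authentication: AD membership is validated, but no VLAN attribute is
        # returned, so the switch leaves the port in the VLAN the machine was given.
        return Decision("Access-Accept", {})

    for group in groups:
        if group in group_to_vlan:
            return Decision("Access-Accept", vlan_attributes(group_to_vlan[group]))

    # Assumption: a domain machine outside every mapped group is accepted with no
    # VLAN override. The thread does not say what the customer wanted in this case;
    # returning Access-Reject here would be the stricter choice.
    return Decision("Access-Accept", {})


if __name__ == "__main__":
    for identity in ("host/LAB-PC01.example.local", "EXAMPLE\\alice",
                     "host/laptop-42.example.local", "EXAMPLE\\mallory"):
        print(identity, "->", enforce(identity))
```

Because both the machine and the later user authentication reach the same policy, the `host/` test is what keeps the user authentication from touching the VLAN; the thread's final workaround of enabling computer authentication only on the supplicant removes the user request entirely, at the cost of the user-level visibility noted in the last reply.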



  • 9.  RE: Machine Authentication with VLAN CoA

    Posted Jan 09, 2018 04:29 PM

    Thank you for your replies.  As you suggested, the only way to get this working the way the customer wanted was to perform "computer authentication" only from the Windows supplicant.  Since user and machine authentication appear as two separate entries that hit the same service policy, we had to find a way to just ignore the user auth.  Of course this limits the visibility in ClearPass but the customer was not concerned with this.